Fix symmetric key generation in strongbox
The strongbox flag was not passed to keystore by
AndroidKeyStoreKeyGeneratorSpi. As a result keys, that were supposed to
be generated in strongbox would silently be generated in TEE.
Test: There is no reliable way to test this other than instrumenting or
debugging the strongbox implementation. This was done by the
author of this patch.
Bug: 109769728
Change-Id: I8a08838440030fab7b774762c3d6af0d3b6a4ad8
diff --git a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
index 419eb24..953cef7d 100644
--- a/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
+++ b/keystore/java/android/security/keystore/AndroidKeyStoreKeyGeneratorSpi.java
@@ -301,6 +301,9 @@
KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(
mRng, (mKeySizeBits + 7) / 8);
int flags = 0;
+ if (spec.isStrongBoxBacked()) {
+ flags |= KeyStore.FLAG_STRONGBOX;
+ }
String keyAliasInKeystore = Credentials.USER_PRIVATE_KEY + spec.getKeystoreAlias();
KeyCharacteristics resultingKeyCharacteristics = new KeyCharacteristics();
boolean success = false;
@@ -314,8 +317,12 @@
flags,
resultingKeyCharacteristics);
if (errorCode != KeyStore.NO_ERROR) {
- throw new ProviderException(
- "Keystore operation failed", KeyStore.getKeyStoreException(errorCode));
+ if (errorCode == KeyStore.HARDWARE_TYPE_UNAVAILABLE) {
+ throw new StrongBoxUnavailableException("Failed to generate key");
+ } else {
+ throw new ProviderException(
+ "Keystore operation failed", KeyStore.getKeyStoreException(errorCode));
+ }
}
@KeyProperties.KeyAlgorithmEnum String keyAlgorithmJCA;
try {